I have implemented a CNG key storage provider and propagate my certificate according to the answer to this question to the MY store. I can see my certificate there using the MMC console. However, when a website requires the certificate for mutual authentication the browser (Chrome, Firefox, Edge) does not show the certificate for selection.

First I thought it could be an issue with the key usage, but if I request a certificate for the same certificate template to store it on a smart-card it is shown by the browser (The smart-card uses the standard providers).

So I think it has something to do with my key storage provider, but I cannot figure out what is wrong nor do I have a clue how to track the problem down.

Some sources on the web say that CNG is not supported for mutual authentication, but they are quite old and the mentioned solution states the opposite, so I am quite unsure if what I am trying to achieve is possible at all.

EDIT

Adding the code for propagation (perhaps the culprit for the behaviour):

EDIT 2
Finally I got the certificate propagated in a way that it is displayed by Chrome and IE (It seems it was a certificate template issue). Furthermore certutil -verifystore tells me that the signature was successful and the certificate is valid. When I use certutil my KSP is called and able to do the signing operation.

However, when I select the certificate for authentication in the browser the authentication fails with HTTP 403. Looking in my KSP logs I see that it is not called. Is there anything else I have to do when registering my KSP or the certificate in order to get this to work?

I added the code I use for propagation. The documentation for the dwFlags-param of the CertSetCertificateContextProperty()-method does not help me at all so it is possible that the problem lies here.
– Frank Apr 3 '18 at 15:25

No, I mean one of these: CERT_HCRYPTPROV_OR_NCRYPT_KEY_HANDLE_PROP_ID or CERT_KEY_CONTEXT_PROP_ID.
– Crypt32 Apr 3 '18 at 17:49

No, I do not set any of these. I thought it would be sufficient to couple my KSP with the certificate. Do I need to add the other props, too? Do you have a link to some documentation explaining this?
– Frank Apr 4 '18 at 10:25

No, I don't have any links, sorry. And never mind, it appears that CERT_KEY_PROV_INFO_PROP_ID property should be sufficient for client certificate picker to determine if private key is attached.
– Crypt32 Apr 4 '18 at 11:05
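
A diagnostic one could run for the situation in this thread, as an added example that is not part of the original question or comments: it resolves the private key linked to the certificate in the MY store from a process other than certutil, reports which provider and key name the link points to, and forces one signing call. The thumbprint is a placeholder and the script assumes Windows PowerShell on .NET Framework 4.6.1 or later.

```powershell
# Added example (not from the original post). The thumbprint is a placeholder.
param(
    [string]$Thumbprint    = '<CERT-THUMBPRINT-PLACEHOLDER>',
    [string]$StoreLocation = 'CurrentUser'   # or LocalMachine
)

$cert = Get-ChildItem "Cert:\$StoreLocation\My" |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in $StoreLocation\My" }

"Subject       : $($cert.Subject)"
"HasPrivateKey : $($cert.HasPrivateKey)"

# Resolve the key through the certificate's key link (RSA first, then ECDSA).
$rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
$ecExt  = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]
$key = $rsaExt::GetRSAPrivateKey($cert)
if (-not $key) { $key = $ecExt::GetECDsaPrivateKey($cert) }
if (-not $key) { throw 'No RSA or ECDSA private key could be resolved for this certificate.' }

"Key class     : $($key.GetType().FullName)"

# A key served by a CNG key storage provider surfaces as RSACng / ECDsaCng.
if ($key -is [System.Security.Cryptography.RSACng] -or
    $key -is [System.Security.Cryptography.ECDsaCng]) {
    $cng = $key.Key
    "Provider      : $($cng.Provider.Provider)"
    "Key name      : $($cng.KeyName)"
    "Machine key   : $($cng.IsMachineKey)"
} else {
    'The key was resolved through a legacy CSP, not a CNG key storage provider.'
}

# Force one private-key operation over constructed test data.
$data   = [System.Text.Encoding]::ASCII.GetBytes('constructed test message')
$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
if ($key -is [System.Security.Cryptography.RSA]) {
    $pad = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    $sig = $key.SignData($data, $sha256, $pad)
} else {
    $sig = $key.SignData($data, $sha256)
}
"Signature     : $($sig.Length) bytes"
```

Comparing the reported provider name with the registered KSP name, and the KSP log with the time of the signing call, shows whether the certificate-to-key link works outside certutil.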